Re: CAPTCHA system in webDNA
This WebDNA talk-list message is from 2005 (message number 60818). It keeps the original formatting.

Hi Bill,

Your proposed method looks like a good extension of my suggestion, especially the use of a randomly generated password. [cart] creates a value that looks too much like a number sometimes, and this might encourage hackers to run a brute force test on the page that's posted in the email.

I also use a technique similar to the one Dan got from Brian Fries to generate virtually unique values, but I extend it even further by making the number of characters in each generated password value a random number between (for example) 10 and 20 characters. Then the hacker has one additional variable to deal with if he tries a brute force attack.

I also like your idea to disable access to the page after X attempts from the same ip address within a pre-determined time period, because that would even further deter a brute force attack. After all, the valid password is already in the URL, which means the visitor from a specific ip address *should* get the password right on his very first attempt -- but certainly after a handful of failures this page should be 'turned off' for that ip address for an hour or so, and ask the visitor to try again later.

Sincerely,
Kenneth Grome
www.kengrome.com

>-----Original Message-----
>From: Kenneth Grome
>Sent: Thu, 20 Jan 2005 00:12:48 +0800
>To: "WebDNA Talk"
>Subject: Re: CAPTCHA system in webDNA
>
>You're trying to prevent automatic email deletion from an opt-in mailing list?
>
>I wouldn't mess with the system you're suggesting at all. Instead
>when the visitor enters his (or someone else's) email address into
>the email field in your unsubscribe form, I would enter a unique
>value into the 'unsubscribe' field of his database record:
>
>[replace db=subscribers.db&eqemaildatarq=[email]]unsubscribe=[cart][/replace]
>
>.. and then in the same template I would send the visitor an email
>message with a URL that has that same unique value in it, like this:
>
>************************************
>"Someone entered your email address into the
>UNSUBSCRIBE page on our web site. If that person
>was you, and if you really want to unsubscribe, just
>click this link and we will unsubscribe you immediately:"
>
>http://domain.com/page.html?out=[cart]
>
>"But if you do NOT want to unsubscribe from our list,
>please just ignore this message, thanks."
>************************************
>
>The person who receives this email message may (or may not) click
>that link. If he clicks the link, your webdna code simply deletes
>the only record in the subscribers database that has that unique
>'out' value in the unsubscribe field:
>
>[delete db=subscribers.db&equnsubscribedatarq=[out]]
>
>Simple and efficient, and no images or other non-webdna tricks required.
>
>:)
>
>Sincerely,
>Kenneth Grome
>www.kengrome.com

Web Archive of this list is at: http://webdna.smithmicro.com/
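The following is an added example, not code from the thread or from WebDNA, that models the scheme discussed above in Python: a random-length token (10 to 20 characters) is stored on the subscriber's record when the unsubscribe form is submitted, the token is sent back as the `out=` parameter of a confirmation link, a click deletes the one record carrying that token, and an IP address that presents wrong tokens a handful of times within an hour is locked out for the rest of that hour, as Bill proposed. The class and function names, the `subscribers` dict standing in for subscribers.db, the lockout thresholds and the sample addresses are all assumptions. One choice that goes beyond the message: the record stores a SHA-256 of the token rather than the token itself, so a copied subscriber table cannot be used to unsubscribe people.

```python
import hashlib
import secrets
import string
import time
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 10, 20      # token length is itself random, as in the message
MAX_FAILURES = 5               # "a handful" of wrong tokens from one IP ...
LOCKOUT_SECONDS = 3600         # ... turns the page off for that IP for an hour


def make_token() -> str:
    """High-entropy token of random length in [MIN_LEN, MAX_LEN] (CSPRNG, not [cart])."""
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_digest(token: str) -> str:
    """What gets written into the 'unsubscribe' field: a hash, never the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class UnsubscribeService:
    # email -> digest of the pending token, or None when no unsubscribe is pending
    subscribers: dict = field(default_factory=dict)
    # ip -> timestamps of recent failed confirmations (the per-IP lockout state)
    failures: dict = field(default_factory=dict)

    def subscribe(self, email: str) -> None:
        self.subscribers[email] = None

    def request_unsubscribe(self, email: str,
                            base_url: str = "http://domain.com/page.html"):
        """Step 1, the form post. Returns the URL to e-mail, or None for an unknown
        address (the HTTP response shown to the submitter should look the same either
        way, so the form does not confirm which addresses are on the list)."""
        if email not in self.subscribers:
            return None
        token = make_token()
        self.subscribers[email] = token_digest(token)
        return f"{base_url}?out={token}"

    def _locked_out(self, ip: str, now: float) -> bool:
        # Keep only failures inside the window; a locked IP stays locked until enough
        # of its failures age out of the window.
        recent = [t for t in self.failures.get(ip, []) if now - t < LOCKOUT_SECONDS]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def confirm(self, token: str, ip: str, now=None) -> str:
        """Step 2, the link click. Returns 'unsubscribed', 'invalid' or 'locked'."""
        now = time.time() if now is None else now
        if self._locked_out(ip, now):
            return "locked"
        digest = token_digest(token)
        for email, pending in list(self.subscribers.items()):
            # pending is None for records with no outstanding request, so an empty or
            # missing 'out' value can never match anything.
            if pending is not None and secrets.compare_digest(pending, digest):
                del self.subscribers[email]       # the [delete ...] step; token is single-use
                return "unsubscribed"
        self.failures.setdefault(ip, []).append(now)
        return "invalid"


if __name__ == "__main__":
    svc = UnsubscribeService()
    svc.subscribe("alice@example.com")            # constructed sample address
    url = svc.request_unsubscribe("alice@example.com")
    print("mail this link:", url)
    print(svc.confirm("not-the-token", "203.0.113.5"))
    print(svc.confirm(url.split("out=")[1], "203.0.113.5"))
```

The legitimate recipient arrives with the token already in the URL, so the only clients that accumulate failures are guessers; with a 62-character alphabet and at least ten characters, the search space is far beyond what five tries per hour per address can cover, and the lockout mainly limits noise in the logs.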